7 Rationale
7.3 Security requirements rationale
7.3.1 Dependency analysis
Table 14 – TOE SFR dependency demonstration

| SFR | Dependency | Inclusion |
|-----|------------|-----------|
| FCS_CKM.1 | [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]; FCS_CKM.4 Cryptographic key destruction | FCS_COP.1; FCS_CKM.4 |
| FCS_COP.1a | [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]; FCS_CKM.4 Cryptographic key destruction | FCS_CKM.1; FCS_CKM.4 |
| FCS_COP.1b | [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]; FCS_CKM.4 Cryptographic key destruction | FCS_CKM.1; FCS_CKM.4 |
| FCS_COP.1c | [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]; FCS_CKM.4 Cryptographic key destruction | FCS_CKM.1; FCS_CKM.4 |
| FCS_COP.1d | [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]; FCS_CKM.4 Cryptographic key destruction | FCS_CKM.1; FCS_CKM.4 |
| FCS_COP.1e | [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]; FCS_CKM.4 Cryptographic key destruction | FCS_CKM.1; FCS_CKM.4 |
| FCS_CKM.4 | [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation] | FCS_CKM.1 |
| FDP_ACC.1a | FDP_ACF.1 Security attribute based access control | FDP_ACF.1 |
| FDP_ACF.1a | FDP_ACC.1 Subset access control; FMT_MSA.3 Static attribute initialisation | FDP_ACC.1; FMT_MSA.3 |
| FDP_IFC.1 | FDP_IFF.1 Simple security attributes | FDP_IFF.1 |
| FDP_IFF.1 | FDP_IFC.1 Subset information flow control; FMT_MSA.3 Static attribute initialisation | FDP_IFC.1; FMT_MSA.3 |
| FTP_ITC.1 | No dependencies | N/A |
| FDP_ACC.1b | FDP_ACF.1 Security attribute based access control | FDP_ACF.1 |
| FDP_ACF.1b | FDP_ACC.1 Subset access control; FMT_MSA.3 Static attribute initialisation | FDP_ACC.1; FMT_MSA.3 |
| FIA_AFL.1 | FIA_UAU.1 Timing of authentication | FIA_UAU.1 |
| FIA_ATD.1 | No dependencies | N/A |
| FIA_SOS.1 | No dependencies | N/A |
| FIA_UAU.1 | FIA_UID.1 Timing of identification | Not included – see rationale below |
| FIA_UAU.7 | FIA_UAU.1 Timing of authentication | FIA_UAU.1 |
| FTA_SSL.1.EX | FIA_UAU.1 Timing of authentication | FIA_UAU.1 |
| FTA_SSL.2.EX | FIA_UAU.1 Timing of authentication | FIA_UAU.1 |
| FMT_MOF.1a | FMT_SMR.1 Security roles; FMT_SMF.1 Specification of Management Functions | FMT_SMR.1; FMT_SMF.1 |
| FMT_MSA.1a | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]; FMT_SMR.1 Security roles; FMT_SMF.1 Specification of Management Functions | FDP_ACC.1 and FDP_IFC.1; FMT_SMR.1; FMT_SMF.1 |
| FMT_MSA.1b | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]; FMT_SMR.1 Security roles; FMT_SMF.1 Specification of Management Functions | FDP_ACC.1 and FDP_IFC.1; FMT_SMR.1; FMT_SMF.1 |
| FMT_MSA.1c | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]; FMT_SMR.1 Security roles; FMT_SMF.1 Specification of Management Functions | FDP_ACC.1 and FDP_IFC.1; FMT_SMR.1; FMT_SMF.1 |
| FMT_MOF.1b | FMT_SMR.1 Security roles; FMT_SMF.1 Specification of Management Functions | FMT_SMR.1; FMT_SMF.1 |
| FMT_MSA.3a | FMT_MSA.1 Management of security attributes; FMT_SMR.1 Security roles | FMT_MSA.1; FMT_SMR.1 |
| FMT_MSA.3b | FMT_MSA.1 Management of security attributes; FMT_SMR.1 Security roles | FMT_MSA.1; FMT_SMR.1 |
| FMT_MSA.3c | FMT_MSA.1 Management of security attributes; FMT_SMR.1 Security roles | FMT_MSA.1; FMT_SMR.1 |
| FMT_SMF.1 | No dependencies | N/A |
| FMT_SMR.1 | FIA_UID.1 Timing of identification | Not included – see rationale below |
7.3.2 Rationale for not addressing all dependencies
97 FIA_UID.1 is a dependency of FIA_UAU.1 and FMT_SMR.1 that has not been included. The TOE is a single-user operating system, so a user identifier associated with the Mobile User would be redundant: there is only one user to identify, and FIA_UAU.1 already governs what that user may do before and after authentication.
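The dependency analysis in Table 14 and the rationale above follow a mechanical rule: every dependency of every SFR in the set must be satisfied by some SFR that is present (an iterated or explicit component counts for its base component), or else be covered by an explicit rationale. The script below is an added example, not part of this Security Target; it encodes the dependency rules exactly as Table 14 cites them, the TOE's SFR list, and the one rationale from 7.3.2, and reports any dependency that is neither met nor justified. It also handles the disjunctive dependencies ("FDP_ACC.1 or FDP_IFC.1"), which Table 14 shows as satisfied by both components.

```python
"""SFR dependency analysis in the manner of Table 14.

Added example; not part of this Security Target. DEPENDENCIES lists the CC
Part 2 dependencies as cited in Table 14 for the components concerned;
TOE_SFRS and TOE_RATIONALE are transcribed from section 7.3.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Each inner list is a disjunction ("A or B"); every inner list must be
# satisfied by at least one component present in the SFR set.
DEPENDENCIES: dict[str, list[list[str]]] = {
    "FCS_CKM.1": [["FCS_CKM.2", "FCS_COP.1"], ["FCS_CKM.4"]],
    "FCS_COP.1": [["FDP_ITC.1", "FDP_ITC.2", "FCS_CKM.1"], ["FCS_CKM.4"]],
    "FCS_CKM.4": [["FDP_ITC.1", "FDP_ITC.2", "FCS_CKM.1"]],
    "FDP_ACC.1": [["FDP_ACF.1"]],
    "FDP_ACF.1": [["FDP_ACC.1"], ["FMT_MSA.3"]],
    "FDP_IFC.1": [["FDP_IFF.1"]],
    "FDP_IFF.1": [["FDP_IFC.1"], ["FMT_MSA.3"]],
    "FTP_ITC.1": [],
    "FIA_AFL.1": [["FIA_UAU.1"]],
    "FIA_ATD.1": [],
    "FIA_SOS.1": [],
    "FIA_UAU.1": [["FIA_UID.1"]],
    "FIA_UAU.7": [["FIA_UAU.1"]],
    "FTA_SSL.1": [["FIA_UAU.1"]],
    "FTA_SSL.2": [["FIA_UAU.1"]],
    "FMT_MOF.1": [["FMT_SMR.1"], ["FMT_SMF.1"]],
    "FMT_MSA.1": [["FDP_ACC.1", "FDP_IFC.1"], ["FMT_SMR.1"], ["FMT_SMF.1"]],
    "FMT_MSA.3": [["FMT_MSA.1"], ["FMT_SMR.1"]],
    "FMT_SMF.1": [],
    "FMT_SMR.1": [["FIA_UID.1"]],
}

# The TOE's SFRs as Table 14 lists them: iterations carry a trailing letter,
# explicitly stated components carry the ".EX" suffix.
TOE_SFRS = [
    "FCS_CKM.1", "FCS_COP.1a", "FCS_COP.1b", "FCS_COP.1c", "FCS_COP.1d",
    "FCS_COP.1e", "FCS_CKM.4", "FDP_ACC.1a", "FDP_ACF.1a", "FDP_IFC.1",
    "FDP_IFF.1", "FTP_ITC.1", "FDP_ACC.1b", "FDP_ACF.1b", "FIA_AFL.1",
    "FIA_ATD.1", "FIA_SOS.1", "FIA_UAU.1", "FIA_UAU.7", "FTA_SSL.1.EX",
    "FTA_SSL.2.EX", "FMT_MOF.1a", "FMT_MSA.1a", "FMT_MSA.1b", "FMT_MSA.1c",
    "FMT_MOF.1b", "FMT_MSA.3a", "FMT_MSA.3b", "FMT_MSA.3c", "FMT_SMF.1",
    "FMT_SMR.1",
]

# Dependencies deliberately left unmet must carry a rationale (section 7.3.2).
TOE_RATIONALE = {
    "FIA_UID.1": "single-user OS; a user identifier for the Mobile User is redundant",
}

_NAME = re.compile(r"^([A-Z]{3}_[A-Z]{3}\.\d+)[a-z]?(?:[.\-]EX)?$")


def base_component(sfr: str) -> str:
    """Strip an iteration letter and/or explicit suffix: FCS_COP.1c -> FCS_COP.1."""
    m = _NAME.match(sfr)
    if m is None:
        raise ValueError(f"not an SFR name: {sfr!r}")
    return m.group(1)


@dataclass(frozen=True)
class Row:
    sfr: str
    dependency: str   # the dependency as stated, e.g. "FDP_ACC.1 or FDP_IFC.1"
    inclusion: str    # what satisfies it, or a marker for the missing case


def analyse(sfrs: list[str], rationale: dict[str, str]) -> tuple[list[Row], list[Row]]:
    """Return (all table rows, rows whose dependency is unmet and unjustified)."""
    present = {base_component(s) for s in sfrs}
    rows: list[Row] = []
    unjustified: list[Row] = []
    for sfr in sfrs:
        deps = DEPENDENCIES[base_component(sfr)]
        if not deps:
            rows.append(Row(sfr, "No dependencies", "N/A"))
            continue
        for group in deps:
            stated = " or ".join(group)
            satisfied = [d for d in group if d in present]
            if satisfied:
                row = Row(sfr, stated, " and ".join(satisfied))
            elif any(d in rationale for d in group):
                row = Row(sfr, stated, "Not included - see rationale")
            else:
                row = Row(sfr, stated, "MISSING - no rationale")
                unjustified.append(row)
            rows.append(row)
    return rows, unjustified


if __name__ == "__main__":
    table, problems = analyse(TOE_SFRS, TOE_RATIONALE)
    for r in table:
        print(f"{r.sfr:13} {r.dependency:38} {r.inclusion}")
    print("unjustified dependencies:", [(r.sfr, r.dependency) for r in problems])
```

Run as written, the script reproduces Table 14 and reports no unjustified dependency; dropping the FIA_UID.1 entry from TOE_RATIONALE makes it flag FIA_UAU.1 and FMT_SMR.1, and removing FCS_CKM.4 from the SFR list makes it flag FCS_CKM.1 and all five FCS_COP.1 iterations, which is the check an evaluator performs when an ST author trims an SFR.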
7.3.3 Rationale for explicit security functional requirements
Table 15 – Rationale for explicitly stated security functional requirements

Explicit SFR: FTA_SSL.1.EX TSF-initiated session lock and FTA_SSL.2.EX User-initiated locking
Based on: FTA_SSL.1 TSF-initiated session lock and FTA_SSL.2 User-initiated locking
Dependency: FIA_UAU.1
Rationale: The TOE does not clear the display after a session lock, because a number of activities can be performed on the TOE prior to successful authentication of a Mobile User (see FIA_UAU.1), and that functionality needs to remain available after a session lock. Dropping the display-clearing element of the base SFRs FTA_SSL.1 and FTA_SSL.2 could not be treated as a refinement, since a refinement may only add detail to or further restrict a requirement, not relax it; the modification therefore had to be stated as an explicit SFR. The SFR is measurable and compliance or non-compliance can be readily determined. Additionally, as the requirement does not differ significantly from the base SFRs, the statement of the requirement can be considered clear and unambiguous. The dependency of FTA_SSL.1 on FIA_UAU.1 has also been retained.
7.3.4
7.3.5 TOE IT requirements correspondence
Table 16 – Mapping TOE SFRs to objectives

O.COMMS_CONF
SFRs: FCS_CKM.1, FCS_COP.1a, FCS_COP.1b, FCS_COP.1e, FCS_CKM.4
Demonstration:
FCS_CKM.1 generates the keys used by the cryptographic operations that give communications both confidentiality and integrity.
FCS_COP.1a implements cryptographic operations for providing secure communications with the enterprise and/or network environment.
FCS_COP.1b implements cryptographic operations for providing secure email capability.
FCS_COP.1e implements cryptographic operations for providing secure communications with the enterprise and/or network environment.
FCS_CKM.4 destroys those keys once they are no longer required, so that a recovered key cannot expose protected communications.
FCS_CKM.1, FCS_COP.1a, FCS_COP.1b, FCS_COP.1e and FCS_CKM.4 combine to ensure that the O.COMMS_CONF objective is met.

O.COMMS_INT
SFRs: FCS_CKM.1, FCS_COP.1a, FCS_COP.1b, FCS_COP.1e, FCS_CKM.4
Demonstration:
FCS_CKM.1 generates the keys used by the cryptographic operations that give communications both confidentiality and integrity.
FCS_COP.1a implements cryptographic operations for providing secure communications with the enterprise and/or network environment.
FCS_COP.1b implements cryptographic operations for providing secure email capability.
FCS_COP.1e implements cryptographic operations for providing secure communications with the enterprise and/or network environment.
FCS_CKM.4 destroys those keys once they are no longer required.
FCS_CKM.1, FCS_COP.1a, FCS_COP.1b, FCS_COP.1e and FCS_CKM.4 combine to ensure that the O.COMMS_INT objective is met.

O.CODE_CTRL
SFRs: FDP_ACC.1a, FDP_ACF.1a
Demonstration:
FDP_ACC.1a provides the basis for an access control policy that ensures only permitted applications can be installed and executed on the TOE.
FDP_ACF.1a provides the security policy rules that govern the control of applications when they are installed or executed on the TOE.
FDP_ACC.1a and FDP_ACF.1a combine to ensure that the O.CODE_CTRL objective is met.

O.MGMT_AUTH
SFRs: FDP_ACC.1b, FDP_ACF.1b
Demonstration:
FDP_ACC.1b provides the basis for a security policy within the TOE for controlling the configuration of the Mobile Device.
FDP_ACF.1b provides the security policy rules that implement device configuration control for the TOE.
FDP_ACC.1b and FDP_ACF.1b combine to ensure that the O.MGMT_AUTH objective is met.

O.USER_AUTH
SFRs: FIA_ATD.1, FIA_UAU.1, FIA_UAU.7
Demonstration:
FIA_ATD.1 provides the set of security attributes that must be associated with a Mobile User to enable Mobile Device authentication.
FIA_UAU.1 allows the TOE to offer a number of display notifications and essential services before requiring a Mobile User authentication event. This enables the TOE to operate as a mobile messaging solution without compromising TSF or user data.
FIA_UAU.7 specifies the feedback that may be provided to the user during a Mobile User authentication event.
FIA_ATD.1, FIA_UAU.1 and FIA_UAU.7 combine to ensure that the O.USER_AUTH objective is met.

O.REMOTE_ADMIN
SFRs: FDP_IFC.1, FDP_IFF.1, FTP_ITC.1, FMT_MOF.1a, FMT_MSA.1a, FMT_MSA.1b, FMT_MSA.1c, FMT_MOF.1b, FMT_MSA.3a, FMT_MSA.3b, FMT_MSA.3c, FMT_SMF.1
Demonstration:
FDP_IFC.1 provides the basis for a policy within the TOE for controlling the flow of information (mailbox items and SCMDM policy) between the TOE and the enterprise environment.
FDP_IFF.1 implements the policy that governs the flow of information between the TOE and the enterprise environment, including TSF and user data.
FTP_ITC.1 provides a trusted and secure channel between the TOE and the enterprise environment so that the TOE is able to access enterprise information in a secure manner.
FMT_MOF.1a provides the restrictions necessary to protect the management and configuration of the device data protection functionality of the TOE.
FMT_MSA.1a provides the restrictions necessary to protect the management and configuration of the device application control functionality of the TOE.
FMT_MSA.1b provides the restrictions necessary to protect the management and configuration of the secure enterprise access functionality of the TOE.
FMT_MSA.1c provides the restrictions necessary to protect the management and configuration of the device configuration control functionality of the TOE.
FMT_MOF.1b provides the restrictions necessary to protect the management of the device access control functionality of the TOE.
FMT_MSA.3a provides restrictions and controls for managing the security attributes associated with the device application control security policy.
FMT_MSA.3b provides restrictions and controls for managing the security attributes associated with the secure enterprise access security policy.
FMT_MSA.3c provides restrictions and controls for managing the security attributes associated with the device configuration control security policy.
FMT_SMF.1 specifies the set of device security management functions required to support the secure administration and operation of the TOE.
FDP_IFC.1, FDP_IFF.1, FTP_ITC.1, FMT_MOF.1a, FMT_MSA.1a, FMT_MSA.1b, FMT_MSA.1c, FMT_MOF.1b, FMT_MSA.3a, FMT_MSA.3b, FMT_MSA.3c and FMT_SMF.1 combine to ensure that the O.REMOTE_ADMIN objective is met.

O.SECRET
SFRs: FIA_SOS.1
Demonstration: FIA_SOS.1 provides the capability for the TOE to enforce strong password policies in accordance with settings established by the Enterprise Administrator.

O.LOCAL_WIPE
SFRs: FIA_AFL.1
Demonstration: FIA_AFL.1 requires the TOE to perform a secure wipe of all user and TSF data after an Enterprise Administrator configurable number of failed authentication attempts.

O.ROLES
SFRs: FMT_SMR.1
Demonstration: FMT_SMR.1 specifies the roles that the TOE is required to recognise and apply.

O.DATA_ENCRYPT
SFRs: FCS_CKM.1, FCS_COP.1c, FCS_COP.1d, FCS_CKM.4
Demonstration:
FCS_CKM.1 supports data encryption by providing key generation functions.
FCS_COP.1c implements cryptographic operations for encrypting data at rest on removable storage cards, to support the need for encrypting user and/or TSF data.
FCS_COP.1d implements cryptographic operations for encrypting data at rest on the Mobile Device, to support the need for encrypting user and/or TSF data.
FCS_CKM.4 supports data encryption by providing a method for securely destroying generated keys.
FCS_CKM.1, FCS_COP.1c, FCS_COP.1d and FCS_CKM.4 combine to ensure that the O.DATA_ENCRYPT objective is met.

O.SESSION_LOCK
SFRs: FTA_SSL.1.EX, FTA_SSL.2.EX
Demonstration:
FTA_SSL.1.EX provides the ability to lock an interactive session after an Enterprise Administrator specified period of inactivity.
FTA_SSL.2.EX provides the Mobile User with the ability to lock the current interactive session so that authentication is required to unlock the Mobile Device.
FTA_SSL.1.EX and FTA_SSL.2.EX combine to ensure that the O.SESSION_LOCK objective is met.

O.REMOTE_WIPE
SFRs: FDP_IFC.1, FDP_IFF.1
Demonstration:
FDP_IFC.1 ensures that the Mobile Device can accept a remote wipe command from the Enterprise Administrator through SCMDM.
FDP_IFF.1 implements the policy that governs the flow of information between the TOE and the enterprise environment and allows the remote wipe command to be applied.
FDP_IFC.1 and FDP_IFF.1 combine to ensure that the O.REMOTE_WIPE objective is met.

O.MANAGEMENT
SFRs: FMT_SMF.1
Demonstration: FMT_SMF.1 ensures that the Enterprise Administrator is able to configure security and operational policy settings that cannot be modified by the user.
7.3.6 TOE assurance requirements
98 This ST contains the assurance requirements from the CC EAL4 assurance package augmented with ALC_FLR.1. The augmentation was chosen for the added assurance that defined flaw remediation procedures provide. The chosen assurance level reflects good, rigorous commercial development practices and is appropriate for a general environment and for a TOE that is readily available and does not require modification to meet the security needs of the environment specified in this ST.
99 The EAL chosen is based on the statement of the security environment (threats, organizational policies, assumptions) and the security objectives defined in this ST. The sufficiency of the EAL chosen is justified based on those aspects of the environment that have impact upon the assurance needed in the TOE. Specifically, that the TOE will not process information that requires protection from attackers possessing a high or moderate attack potential, and that protection from obvious vulnerabilities is required.
7.3.7 Demonstration of mutual support
100 The dependency analysis provided at Table 14 and the analyses provided in Table 16 and Table 17 demonstrate that the IT security functions work together to satisfy the stated security functionality of the TOE.
101 The demonstration of the implementation of the majority of dependencies, and a suitable rationale for those dependencies that have not been implemented, demonstrates mutual support between security requirements, and therefore, the security functions and mechanisms that implement them.